Email breaches in three states expose protected health information

Three recently reported email system breaches in three states exposed protected health information. In each case, in addition to working with law enforcement and contacting individuals affected by the breach, officials with each healthcare entity stated that they are stepping up efforts so it won’t happen again, including doing more employee security training.


“We are committed to taking steps to help prevent something like this from happening again, including evaluating additional platforms for educating staff and reviewing technical controls,” read a statement released by Navicent Health, the second-largest hospital in Georgia. Investigation of a breach that occurred there last summer concluded in late January.

The cyberattack was limited to employee email accounts and did not impact Navicent’s network or EHR system, however it was determined that accounts containing patient names, dates of birth, addresses, and limited medical data, like billing and appointment information, were accessed. Some patients’ Social Security numbers were compromised in the attack.


In Frederick, Maryland, a phishing attack was discovered on January 21 at Frederick Regional Health System. An analysis of the account revealed emails and attachments contained information of patients who had received hospice services between June 2017 and January 2019.

The organization reports that security has since been enhanced and further email security training has been provided to employees.


In Duluth, Minnesota, while performing a routine analysis of email logs on January 25, the Human Development Center (HDC) discovered the email account of an employee was accessed by an unauthorized individual on two occasions on January 16 and 18, 2019. Upon review of the information within the email account, client names, date of birth, internal HDC client numbers, internal HDC description of services and a limited number of procedure codes were found.

HDC said it has investigated how the breach happened and key steps have been taken to help manage inappropriate cybersecurity attacks in the future.

Phishing Testing and Training Program

As these three reports show, there’s no shortage of email breaches in healthcare. And even as we head into the next quarter of 2019, it’s unlikely to change, unless (yes, there is thankfully an unless) more organizations do more upfront to prevent email breaches and phishing attacks from happening in the first place.

PrivaPlan can help. We offer a fully managed Phishing Testing and Training Program. For more information and to request a free trial phishing test to find out what your risk level is, contact our HIPAA experts at 1-877-218-7707or


Related Posts

What’s On Your Website?

The partnership combines PrivaPlan’s industry-leading guidance with Cyndelos’ AI technology to pinpoint website vulnerability and uphold website compliance.

Learn More +

Access PrivaPlan Toolkit

Access CMA-PrivaPlan Toolkit

Sign up for updates

Sign up. Learn about Compliance

Subscribe now for up-to-date information about privacy & security compliance! You’ll receive emails regarding news about compliance & alerts for new blog posts.